This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.
2014 ended with a cyber-security “bang” in the form of the Sony Pictures Entertainment cyber-attack and the breach at Deloitte, and 2015 is starting with a “boom” in healthcare privacy rules that will resonate for healthcare providers, plans and Business Associates, including cloud service providers. On January 13, 2015, Jocelyn Samuels, Director of the Office for Civil Rights (OCR), the division of the U.S. Department of Health and Human Services that enforces the HIPAA rules, announced that a new round of HIPAA audits is contemplated for later this year, and that OCR will issue a guidance document on the use of cloud computing in healthcare for Protected Health Information (PHI).
An enhanced HIPAA security audit program had been scheduled for 2014, but was delayed due to software difficulties and the need to revise the OCR audit protocol. While Ms. Samuels declined to provide a timeline for commencement of the audits, she stated that the audits represent a shift away from OCR’s prior model of investigations and proceedings instigated by a complaint. The Director said, “OCR is committed to implementing an effective audit program, and audits will be an important compliance tool for OCR.” The audits “will enable OCR to identify best practices and proactively uncover risks and vulnerabilities, like our other enforcement tools, such as complaints and compliance reviews.” For the first time, the audits will include HIPAA Business Associates, the organizations that access PHI to perform a service for providers and plans, which include law firms, accountants and consultants.
The Director emphasized an area that is sure to figure prominently in the new audits when she provided a recap of recent enforcement activities with regard to cyber-attacks on providers and plans, including the December 2014 settlement of a proceeding against Anchorage Community Mental Health Services for a cyber-attack that resulted in a breach affecting 2,743 patients. The OCR press release noted the lack of a current Security Risk Analysis, of updated security policies, of information security monitoring and of implementation of patches, all of which, OCR stated, contributed to the attack. “These types of cases,” Director Samuels said in her January 13, 2015 remarks, “can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and audit procedures, and HIPAA compliance training of workforce members.” Audit letters received by some providers in late 2014 asked for copies of information security policies, training materials about those policies along with proof that the workforce had been trained on them, and a copy of the most recent penetration testing and security analyses. The Anchorage settlement noted that the information security policies of that entity had not been updated since 2005.
It does not appear that cloud service providers will be exempt from the new round of audits; quite the contrary. Director Samuels noted that a “clarification” of OCR’s position with regard to the steps needed to achieve HIPAA-compliant cloud storage of PHI will be issued in 2015. Because of the complexities and controversy surrounding hosting of PHI, it will most probably take the form of a guidance document comprising HIPAA guidelines and suggestions. Previous guidance documents include the Guidance on Risk Analysis Requirements under the HIPAA Security Rule and, before that, the OCR Guidance on Encryption (Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals). No further details on the anticipated document were provided by Director Samuels but, if this guidance document follows the format of those that preceded it, it will comprise a HIPAA compliance checklist for Master Services Agreements, Terms and Conditions and Business Associate Agreements that meet the requirements of the HIPAA Security Rule. This guidance will, in turn, inform all future contract documents between healthcare providers and plans and cloud hosting providers. As more entities move PHI to the cloud, for reasons ranging from cost to security, OCR will look more carefully at cloud engagements during these audits.
Of course, if there is a breach by, or a cyber-attack on, a cloud service provider, OCR will audit with great scrutiny and may revise the guidance document, or issue responses to Frequently Asked Questions (FAQs) on its website. It will be incumbent on all entities that use, store, access or disclose PHI to do what OCR advised: monitor not only for weaknesses and vulnerabilities in information security, but also for changes in HIPAA compliance requirements.